In modern electronic computing and communications systems, usernames and passwords are widely used. From human users to applications that automatically communicate over networks, usernames and passwords (and similar credentials) are routinely used for authentication and providing access to various types of applications. Authentication schemes based on usernames and passwords provide a basic level of security, so that attackers cannot freely impersonate or misuse the accounts or resources of other identities.
The widespread use of usernames and passwords, however, gives rise to several significant technical problems. When users choose passwords, they tend to favor simple and easy-to-remember passwords, which are easy to guess, steal, or replicate. These problems are worsened when users reuse a single password across two or more services, since a single theft of that password exposes every account that shares it. To address this, some password management schemes require users to have long passwords, or passwords containing unusual characters, which become difficult for users to remember. When users forget their password, they are often required to reset it or contact an IT support department, which imposes usability and efficiency impediments for both the user and the enterprise they are interacting with. Passwords assigned to users rather than chosen by them are similarly hard to remember and lead to the same problems. In addition, requirements to periodically change passwords further accentuate these problems, with users having increased difficulty remembering their changing passwords. Even passwords used by autonomously communicating applications have usability and security drawbacks. These passwords are often hard-coded into applications, which makes the applications vulnerable to password theft and misuse.
Another response to the potential weaknesses in usernames and passwords is two-factor authentication. But this too has drawbacks. While two-factor authentication can make it more difficult for an attacker to impersonate a user or steal their credentials, it can be problematic when one form of the authentication (e.g., Internet-based prompts, cellular-based prompts, etc.) is unavailable. For example, when a user is traveling and has no Internet or cellular coverage, two-factor authentication may be unavailable. Further, two-factor authentication is sensitive to network delays and can be cumbersome for users to manage. Additionally, some forms of two-factor authentication require a user to carry a special-purpose authentication tool (e.g., an RSA™ SecurID fob), which may be inconvenient for users and thus lead to insecure workarounds in which users try to bypass such security requirements.
Accordingly, in view of these and other deficiencies in existing techniques for authenticating users, applications, or other identities, technological solutions are needed for providing secure authentication without undue complexity or usability deficiencies. As discussed below, the technological limitations in existing authentication schemes may be addressed by implementing a security service that interacts with a user's personal computing device. When authentication of the user or their device is needed, the security service can generate a unique ID and encode it into a code (e.g., visual code, audible code, etc.) that is made available to the personal computing device. The personal computing device can then decode the code to reveal the unique ID. The personal computing device can further utilize a biometric identification of the user (e.g., based on a fingerprint, retinal scan, facial scan, etc.) to unlock a locally stored, encrypted cryptographic key, and sign a communication back to the security service containing the unique ID. The security service can then verify the signature of the communication based on a corresponding cryptographic key it holds. If the signature is verified, the security service may authenticate the user or their personal computing device, or may further authorize the user or their device to perform actions (e.g., access secure applications, perform transactions, access physical locations, etc.).
Notably, using these techniques, even if an attacker wrongfully gains access to the encoded code and is able to decode it, they will still not be authenticated. The attacker will not have the biometrics of the rightful user and will not be able to access the encrypted cryptographic key stored on the personal computing device for use in signing a communication back to the security service. Indeed, even if the attacker gains access to both the encoded code and the user's personal computing device, they will still not be authenticated, since they will lack the biometrics needed to decrypt the encrypted cryptographic key stored on the personal computing device. Because each unique ID is generated fresh for a single authentication, a signed communication captured in transit is of no use for a later attempt, provided the security service accepts each unique ID only once. As discussed further below, variations on this secure authentication process are contemplated as well.
Additional techniques described below, which address the above and other problems with conventional data communication techniques, include utilizing machine-readable codes to provide for secure communications or sessions. As discussed below, a cryptographic key may be encoded into a machine-readable code and made available to a personal computing device. A corresponding key may be made available to a target resource. The personal computing device may scan and decode the code, thus revealing the cryptographic key, which may be used by the personal computing device to encrypt a data communication to be transmitted to the secure target resource. The secure target resource, having access to its corresponding cryptographic key, can then decrypt the communication; when an authenticated encryption mode is used, successful decryption also confirms that the communication was produced by a holder of the key, i.e., by an authorized personal computing device. Thereafter, a communications session between the personal computing device and the secure target resource may be secured. As with the above techniques, this process may further involve the personal computing device utilizing the user's biometric data to retrieve an encrypted cryptographic key from the personal computing device, which may be used to authenticate the user of the personal computing device.
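As an added illustration, not code from the original description, the following Go program models both techniques: the challenge-response flow of the preceding paragraphs, in which the security service issues a unique ID inside a code and the personal computing device signs it with a key released only by the enrolled biometric, and the session-key exchange of this paragraph, in which a key carried in a code lets the device encrypt for a target resource holding the same key. The assumptions are this example's own: the visual/audible code is modelled as base64url text rather than a QR image, the biometric as a constructed byte string whose hash wraps the device's Ed25519 seed with AES-GCM (standing in for a secure enclave), and the names Enroll, Respond, IssueCode, Verify, IssueSessionCode, gcmSeal and gcmOpen are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// AES-256-GCM with the random nonce prefixed to the ciphertext (crypto/rand.Read never returns an error).
func gcmSeal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block)
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce)
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

func gcmOpen(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block)
	if len(sealed) < aead.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], nil)
}

// Device keeps its Ed25519 seed only under a key derived from the enrolled biometric template (assumption: on real hardware this unwrap runs inside a secure enclave).
type Device struct{ wrappedSeed []byte }

func biometricKEK(template []byte) []byte {
	h := sha256.Sum256(append([]byte("biometric-kek|"), template...))
	return h[:]
}

// Enroll generates the device key pair; the service stores the returned public key.
func Enroll(template []byte) (*Device, ed25519.PublicKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)          // crypto/rand does not fail
	wrapped, _ := gcmSeal(biometricKEK(template), priv.Seed()) // 32-byte KEK: cannot fail
	return &Device{wrappedSeed: wrapped}, pub
}

// Respond decodes the code, releases the key with the presented biometric and signs the unique ID.
func (d *Device) Respond(code string, presented []byte) (id, sig []byte, err error) {
	if id, err = base64.RawURLEncoding.DecodeString(code); err != nil {
		return nil, nil, err
	}
	seed, err := gcmOpen(biometricKEK(presented), d.wrappedSeed)
	if err != nil { // wrong biometric: the GCM tag check fails and no key is released
		return nil, nil, fmt.Errorf("biometric did not release the signing key")
	}
	return id, ed25519.Sign(ed25519.NewKeyFromSeed(seed), id), nil
}

// Service issues single-use unique IDs; Verify rejects unknown or already-consumed IDs (replays) before checking the signature.
type Service struct {
	pub     ed25519.PublicKey
	pending map[string]bool // issued IDs not yet consumed
}

func (s *Service) IssueCode() string {
	id := make([]byte, 16)
	rand.Read(id)
	s.pending[string(id)] = true
	return base64.RawURLEncoding.EncodeToString(id) // the visual/audible code, modelled as base64url text
}

func (s *Service) Verify(id, sig []byte) bool {
	if !s.pending[string(id)] || !ed25519.Verify(s.pub, id, sig) {
		return false
	}
	delete(s.pending, string(id))
	return true
}

// Second technique: a fresh session key reaches the device inside a code while a copy goes to the target resource; the device seals with gcmSeal, the resource opens with gcmOpen.
func IssueSessionCode() (code string, resourceKey []byte) {
	resourceKey = make([]byte, 32)
	rand.Read(resourceKey)
	return base64.RawURLEncoding.EncodeToString(resourceKey), resourceKey
}

func main() {
	finger := []byte("constructed fingerprint template")
	dev, pub := Enroll(finger)
	svc := &Service{pub: pub, pending: map[string]bool{}}
	id, sig, _ := dev.Respond(svc.IssueCode(), finger)
	fmt.Println("rightful user:", svc.Verify(id, sig), "replay:", svc.Verify(id, sig))
	_, _, err := dev.Respond(svc.IssueCode(), []byte("attacker's finger"))
	fmt.Println("attacker holding code and device:", err)
}
```

Two checks in this model are the ones a practitioner would want from the description: the service consumes each unique ID on first successful verification, so a signed response captured in transit cannot be replayed, and an attacker who holds both the code and the device but presents the wrong biometric gets a GCM authentication failure rather than a key, so no signature can be produced. For the session-key technique, a tampered ciphertext likewise fails to open at the resource, which is what makes decryption double as confirmation that the message came from a holder of the key.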